Saturday, June 24, 2017

CSE to get foreign cyber operations mandate

Among the changes that the Liberal government is proposing to make via its Bill C-59, announced on June 20th, are several important measures affecting CSE, including an entirely new statutory basis for the agency, the Communications Security Establishment Act, that will replace the current CSE-related provisions of the National Defence Act. The bill also proposes to eliminate CSE's existing watchdog agency, the Office of the CSE Commissioner (OCSEC), and replace it with two newly created entities, the National Security and Intelligence Review Agency (NSIRA) and the Office of the Intelligence Commissioner, which will also be keeping tabs on CSIS and (in the case of NSIRA) a number of other agencies. (See my comments on that aspect of the bill here.)

Together, the proposals affecting CSE comprise a wide-ranging and highly consequential set of measures, but probably the most significant item is the plan to give the agency the power to conduct both defensive and "active" (i.e., offensive) cyber operations against foreign targets.

When CSE, originally called CBNRC, was created in September 1946, it had two major complementary functions: analysis of foreign communications intercepted by Canada and its allies (communications intelligence, COMINT, which was later broadened into signals intelligence, SIGINT); and protection of Canadian government classified communications (communications security, COMSEC, which was later broadened into information technology security, ITSEC).

Canada and its allies occasionally engaged in black-bag jobs to steal codebooks, tap cables, or plant bugs for intelligence collection, but CSE did not undertake such operations itself. For most of the agency's history, CSE's SIGINT role was entirely passive: it processed and analyzed the radio communications that could be monitored at Canadian and allied intercept sites.

The first big change in that role happened in the wake of the 9/11 attacks, although it had more to do with the advent of the Internet beginning in the 1990s. Passage of the Anti-Terrorism Act gave CSE the authority to conduct the cyberspace version of the black-bag job—Computer Network Exploitation (CNE)—in support of its SIGINT mandate. CSE was empowered not just to intercept communications ("data in motion"), as it had done in traditional SIGINT activities, but to seek out information residing on foreign computer systems ("data at rest") that CSE could gain surreptitious access to. It became a hunter as well as a gatherer.

But while CNE operations entail breaking into computer systems and networks, disabling security features, implanting specialized malware, and of course copying information, all of these activities are undertaken in the name of SIGINT collection. Any damage inflicted is purely incidental—an undesirable side-effect that might lead to exposure and early termination of the operation.

The proposed CSE Act would enable CSE to conduct deliberate Computer Network Attack (CNA) operations, both to defend Canadian IT systems against foreign CNE and CNA operations and to attack foreign IT systems in furtherance of Canadian foreign policy, defence, or security goals. The bill refers to these two types of CNA operation as "defensive cyber operations" and "active cyber operations" respectively. (For more on the relationships between CNE, CNA, and CND—Computer Network Defence—operations, see this discussion.)

With this change, CSE would no longer be simply an intelligence (and ITSEC) agency: it would also be a covert operations agency, able to intervene outside Canada's borders to disrupt, damage, or destroy the computers, IT networks, or electronic information of foreign individuals, groups, or states.

The bill does propose some limits on the way these powers could be used. Cyber operations must be requested or consented to by the Minister of Foreign Affairs and authorized by the Minister of National Defence. In addition, such operations must not "cause, intentionally or by criminal negligence, death or bodily harm to an individual" or "wilfully attempt in any manner to obstruct, pervert or defeat the course of justice or democracy." These are significant limitations.

Even in that respect, however, CSE might still play a critical role. Under the new CSE Act, CSE would be explicitly permitted to provide operational and technical assistance to the Department of National Defence and the Canadian Forces (as it already does for federal law enforcement and security agencies), and cyber assistance provided under this mandate would not be subject to the limitations applied to CSE's own cyber operations.

Whatever the effect of these limitations in practice, to my mind the addition of a cyber operations mandate is a huge change in the nature of the agency, and it raises a number of issues.

Most fundamentally, is it in Canada's interest to further normalize the growing use of CNA activities by states? Should CNA be classified as just another tool of statecraft? Should such capabilities be restricted to a deterrent role? Is cyber deterrence, whether through CNA capabilities or more conventional responses, even a practical goal, given difficulties of attribution and the inevitable overlap between CNE and CNA? Would improved defence and resilience be a preferable, or at least sufficient, response, or are all three required?

The recent defence policy statement asserts that "a purely defensive cyber posture is no longer sufficient" (resilience doesn't get mentioned in the cyber context). But not everyone is convinced by that claim. As with most issues, Canada's choices are likely to have a marginal influence at best on the future of cyberspace, but that alone is not sufficient reason to abandon self-restraint or efforts to create global rules of the road and preserve the global commons if we believe that Canada's (and the globe's) ultimate interests would best be served by moving in that direction.

Second, even if Canada does choose to arm itself with, and to use, such capabilities, is CSE the right place to lodge them? There is certainly a case to be made for giving the role to CSE. The knowledge and skills required for CNA activities inevitably overlap with those required for CNE (and for CND), and CSE is Canada's centre of expertise in those activities.

But just as there are different imperatives between intelligence-gathering and law enforcement—the reason CSIS was separated from the RCMP in 1984—there are different imperatives between intelligence-gathering and covert operations. One side seeks to preserve its accesses so it can maintain or even improve its intelligence collection; the other seeks to exploit them for operational purposes, even though such operations may burn the accesses in the process. (A similar conflict already exists between the ITSEC side of the organization, which seeks to shut down IT vulnerabilities to protect against intrusions, and the SIGINT side, which may want vulnerabilities it is currently exploiting to remain unrevealed.)

Furthermore, while the job of the intelligence-gatherers is to report the unvarnished truth, uncontaminated as much as possible by policy considerations, the covert operations side of the agency would inevitably become involved in the development and advocacy of operational plans, and in defending the agency's performance in those operations, giving CSE an undesirable stake in its own intelligence reporting.

Can a single agency effectively do two (really three) tasks that are in many ways complementary but also in important ways contradictory while still giving proper attention and weight to each?

I don't think it's impossible to reconcile these imperatives, but I do think it requires delicate balancing and constant vigilance. This is an area to which the proposed review agency and committee of parliamentarians may want to pay ongoing attention.

It's also an area where there is probably a role for the central agencies of the government.

I had a chance to ask about cyber operations decision-making during a stakeholders' teleconference about Bill C-59 that CSE invited me to join.

As noted above, the proposed law would require that such operations be requested or consented to by the Minister of Foreign Affairs and authorized by the Minister of National Defence. This arrangement foresees the possibility that the Foreign Affairs Minister might sometimes make a request for a cyber operation in service of Canadian foreign policy interests. But the ministers themselves are not normally going to be sitting around thinking up plans for CSE cyber operations, nor will they be equipped to assess what might be feasible or balance all the considerations that might arise. So who will be doing the proposing, and who will make sure the resulting plans are reconciled with the broader goals and operations of the Canadian government?

The officials who took part in the teleconference acknowledged that CSE would probably often be the agency proposing such operations, but they agreed that there would still need to be some sort of inter-departmental process to ensure that wider factors are considered, including deconfliction with cyber operations that the Canadian Forces might be undertaking (and deconfliction with allied agencies), but also more general considerations. They added, however, that the bill had not yet been passed and might be amended before passage, and that some of these structural questions had not yet been resolved.

For most of its history, CSE laboured under the watchful eye (or heavy thumb, as they may have considered it) of various inter-departmental committees—originally the Communications Research Committee and later the Intelligence Advisory Committee and Security Advisory Committee of the Privy Council Office (PCO). The final form of this system saw the National Security Advisor serving as the deputy minister for CSE for policy purposes. But all of that ended when CSE became a stand-alone agency, with the Chief of CSE serving as the agency's own deputy head, in November 2011. There is no longer any line role for the PCO between CSE and its minister.

But the PCO continues to play a role in coordinating the various elements of the Canadian intelligence community, and in integrating intelligence and defence, security, and foreign policy concerns. And, in my view, it will need to play a very active role in overseeing the planning and conduct of any cyber operations undertaken by CSE and/or the Canadian Forces to ensure that all national policy considerations are taken into account. The PCO is also the place to ensure that the proper balance among CSE's cyber, SIGINT, and ITSEC priorities is maintained.

I also asked the officials what the addition of a cyber operations mandate for CSE might mean for the agency's own structure and resources. Will there be a separate Deputy Chief for Cyber Operations, just as there are Deputy Chiefs for SIGINT and ITSEC? Will CSE be looking to expand its workforce to support the conduct of cyber operations?

According to the officials, those decisions have not yet been made, and the agency did not want to pre-judge the outcome of the legislative process. Still, I'm sure they have some ideas for how it might all work out.

They did say that CSE was likely to enter the cyber operations business only gradually, taking "one step at a time," and adding that "you have to walk before you can run." This would seem to suggest little immediate need for growth on the part of the agency, although the implied eventual goal of "running" opens the door to larger needs over the longer term.

I guess we'll see.

In the meantime, I think it is going to be very interesting watching this soon-to-be three-legged agency relearn how to walk.

I'll look at other parts of the bill that affect CSE, notably the new oversight and review provisions, in a future post.